WASHINGTON — Sen. Al Franken made it clear Wednesday he’s a big proponent of converting medical records to digital form, but he acknowledged the “very real and very serious privacy challenges” that come with doing so.
Franken convened his second hearing as chairman of the Senate Subcommittee on Privacy, Technology and the Law on Wednesday to address just that topic. His main complaint: federal agencies directed to enforce digital medical record regulations enacted by Congress have not yet done so.
In 2009, Congress passed the “HITECH Act” as part of the American Reinvestment and Recovery Act, which incentivized doctors and hospitals to switch their records to electronic form as well as impose new penalties for data breaches. Since then, there been a series of incidents in which patients’ information was lost or stolen during or after the transition — among them, the July theft of a laptop containing the private information of 14,000 Fairview patients from a car near the University of Minnesota.
Total, there have been 364 “major breaches” of 18 million patient’s private data since 2009, Franken said. Meanwhile, enforcement of data privacy laws have been lax — out of the 22,500 complaints the Health and Human Services Department has received since 2003, it’s levied only one fine and reached monetary settlements in six others. Of the 495 cases referred to the Department of Justice, only 16 have been prosecuted.
“I think it’s safe to say that we need to do more to protect this data,” he said.
Hennepin County Medical Center privacy officer Kari Myrold said it’s virtually impossible to guarantee the absolute privacy of such records, no matter what steps Congress takes.
“I think every organization is a keystroke away” from an incident like the Fairview theft last summer.
Franken used HCMC as an example of a hospital at the leading edge of medical record digitization. The hospital began electronically storing its patients’ records in 2002 and Myrold told the committee it’s helped improve patient safety and satisfaction. The facility is one of only 4 percent of hospitals to attain a near-perfect rating from a health-care records research group, Myrold said.
HCMC fully implemented its electronic health records system just weeks before the I-35W bridge collapse in August 2007. At the time of the collapse, Franken said, HCMC’s policy was to use paper records during major incidents. They made the switch from paper to electronic that day after helping only two patients.
“When disaster struck, that decision to use electronic health records allowed the Hennepin County Medical Center to tend to those victims more quickly and more effectively,” Franken said.
Deven McGraw, the director of the Center for Democracy and Technology’s Health Privacy Project, agreed that enforcement could be stronger. She also called for more regulations meant to push companies that store digital data to do in more effective ways.
McGraw said she favored “a more comprehensive set of privacy protections for consumer data … This environment, the wild, wild West for data is not an environment of trust.”
Myrold agreed, and Franken echoed the pair after the meeting.
“I think we made it loud and clear here that those regs [regulations] are needed and [agencies] will be more able to enforce once those regs once they are written and there will be more compliance once those regs are written,” he said. “We need the regs. I couldn’t agree more.”
Devin Henry can be reached at firstname.lastname@example.org. Follow him on Twitter: @dhenry